The ndstrace shows a failed authentication. To verify that the person was entering the correct password, I had him type his password into a notepad session and then copy and paste it for the login process.
[CODE]987760384 LDAP: [2019/04/03 14:01:50.229] Failed to authenticate local on connection 0x12b23180, err = failed authentication (-669)[/CODE]
[QUOTE=jmozdzen;57357]Hi grahamch,
are you willing to share the configuration for pam_ldap? Both from the pam config file for ssh (or wherever pam_ldap is included from, when going through /etc/pam.d/ssh) and the statements in /etc/ldap.conf, where I'm mostly interested in any DN mapping options (i.e. pam_login_attribute, pam_filter). Something you could check is whether you have pam_group_dn defined and for some reason the affected users aren't members of that group (i.e. because some deployment process has problems with the initial "s" when adding users to that group, maybe years ago).
I'd also be interested in the results from tracing the LDAP queries, to see if the root cause is on PAM's side or i.e. with the LDAP directory content.
Regards,
J[/QUOTE]
The only pam_ldap file I can find on the system is in /usr/share/doc/packages/pam_ldap/ and there is nothing set in that file for those options and the host is set to local host.
/etc/pam.d/sshd
[CODE]#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed[/CODE]
/etc/ldap.conf
[CODE]uri ldaps://ldap2.Domain.local ldaps://ldap1.Domain.local
base ou=IT,ou=Branch,o=Org
nss_connect_policy persist
ssl yes[/CODE]
/etc/openldap/ldap.conf
[CODE]# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow[/CODE]
The instructions we used for setting up the LDAP connection are as follows:
[LIST=1]
[*]Download Self-Signed Certificate from eDirectory CA (Export format should default to DER)
[*]Copy the certificate to the SLES box
[*]Connect to the SLES box (on console or via putty)
[*]Copy the certificate to /usr/share/ssl
[*]Execute openssl x509 -in /usr/share/ssl/.der -inform DER -out /usr/share/ssl/RootCert.pem -outform PEM
[*]Edit /etc/openldap/ldap.conf
[*]Add TLS_REQCERT allow and save the file
[*]Run YaST on the SLES box
[*]Navigate to Network Services | LDAP and Kerberos Client
[*]Click Change Settings
[*]Check Allow LDAP Users To Authenticate and Automatically Create Home Directory
[*]Check Users
[*]In Enter LDAP server locations, enter ldaps://ldap2.Domain.local ldaps://ldap1.Domain.local
[*]In DN of Search Base enter ou=IT,ou=Branch,o=Org
[*]Select Secure Communication via TLS
[*]Click the Authentication via Kerberos tab
[*]Click Add Realm
[*]In the Realm name, enter Tree
[*]Click OK
[*]Click the Use a Directory as Identity Provider (LDAP) tab
[*]Click Test Connection to ensure it is working
[*]Click OK
[*]Click OK
[/LIST]
thanks
Chris
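Added example, not code from the post above or from SUSE/OpenLDAP: it reproduces the DER-to-PEM step of the procedure offline against a constructed throwaway CA, then writes the /etc/openldap/ldap.conf form that pins that CA with TLS_CACERT and TLS_REQCERT demand, rather than TLS_REQCERT allow, which per ldap.conf(5) lets the session proceed even when the server presents a bad certificate. The $WORK directory, the file names under it and the test CA subject are assumptions.

```shell
#!/bin/sh
# Added example; $WORK, file names and the CA subject are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the DER certificate exported from the eDirectory CA.
make_test_ca_der() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Org/CN=Test eDirectory CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/RootCert.der"
  echo "$WORK/RootCert.der"
}

# Same conversion as step 5 of the procedure: DER in, PEM out.
der_to_pem() {
  openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# Client config that pins the exported CA and rejects unverifiable servers
# (TLS_REQCERT demand is also the OpenLDAP default; 'allow' would accept any cert).
write_ldap_conf() {
  cat > "$1" <<EOF
URI ldaps://ldap2.Domain.local ldaps://ldap1.Domain.local
BASE ou=IT,ou=Branch,o=Org
TLS_CACERT $2
TLS_REQCERT demand
EOF
}

# Returns 0 only if the PEM is a self-signed CA that verifies against itself,
# i.e. the trust anchor the client will actually check servers against.
check_ca_pem() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Runs the whole flow; returns non-zero if any step fails.
main_demo() {
  der="$(make_test_ca_der)"
  der_to_pem "$der" "$WORK/RootCert.pem"
  write_ldap_conf "$WORK/ldap.conf" "$WORK/RootCert.pem"
  check_ca_pem "$WORK/RootCert.pem"
  grep -q '^TLS_REQCERT demand' "$WORK/ldap.conf"
}
```

After running main_demo, ldapsearch -H ldaps://... -x against the real servers with that ldap.conf will fail instead of silently succeeding if the server certificate was not issued by the pinned CA.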